Re: ISE 2.0 Posture without VPN and Provisioning

Florian P · ‎11-23-2017

Hello guys,

I am fairly new to Posture and I have hence a couple questions :

I have read that the only way to implement Posture has to be done with AnyConnect (since NAC Agent is no longer supported). Is there any way to deploy it without it VPN feature ? (Endpoint will be only on our corporate LAN).

Is it mandatory to configure Client Provisioning ? I would rather roll out AnyConnect using SCCM. If yes how can we seamlessly provide posture server information to AnyConnect (From what I understand it is normally done during provisioning from ISE).

Thanks

Francesco Molino · ‎11-23-2017

Hi

You can't install anyconnect without vpn feature as this is the core application from anyconnect.

Even if you deploy it through sccm, you need to configure the client provisioning as it will push the profile file when you'll update it.
You can for example deploy anyconnect posture using sccm and at some point want to deploy a specific language pack or dart for logging, you can just update your client provisioning and all clients will be updated when they will connected back to the network.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Florian P · ‎11-24-2017

Hi Francesco,

Thanks for your answer.

If the application is already deployed, will it still need to be downloaded when the endpoint connect for the 1st time to the network, or is there an option to push only the profile ?

B/R

Florian

Francesco Molino · ‎11-25-2017

Hi

If the client is already installed it won't be downloaded unless the package offered by ISE is newer than the one on the machine.
The profile is checked everytime the host connects and updated accordingly with latest changes if any

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Florian P · ‎11-27-2017

Thanks for your help.

One last question : What files have to be used to deploy the anyconnect client on the endpoint using SCCM and to do client provisioning ? I have downloaded the clients4.5.02036 on the website and imported them in ISE. However it is impossible to put them in the Client Provisioning Policy.

Is ISE 2.0.1 compatible with any version of AnyConnect ? I have only seen compatibility matrix between OS and AnyConnect version

Francesco Molino · ‎11-27-2017

Normally there shouldn't be any issues.
Can you share the package you've downloaded and how it looks like in ise?

For sccm, just download the iso file and you will have all packages in it (msi) that you need to deploy on your devices

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Florian P · ‎11-27-2017

Hi,

I have downloaded the following files :

anyconnect-win-4.5.02036-predeploy-k9.zip - Predeployment package

anyconnect-win-4.5.02036-webdeploy-k9.pkg - I loaded this package in ISE - Client Provisioning Resource.

However I don't find any deployment package.

Is the predeployment package enough or will the endpoint still have to download something when connecting to the network.

Best regards

Francesco Molino · ‎11-28-2017

Hi
The predeployment package is the core vpn software. In addition to that, you'll need the compliance module

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question